# Copyright 2018 The Kubernetes Authors. # Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # https://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: name: "gcsfuse-sidecar-validator.csi.storage.gke.io" spec: matchConstraints: resourceRules: - apiGroups: [""] apiVersions: ["v1"] resources: ["pods"] operations: ["CREATE"] matchConditions: - name: "include-pods-with-gcsfuse-volumes" expression: 'object.metadata.?annotations["gke-gcsfuse/volumes"].orValue("") == "true"' - name: "include-pods-with-native-sidecar" expression: 'has(object.spec.initContainers) && object.spec.initContainers.exists(c, c.name == "gke-gcsfuse-sidecar")' variables: - name: "sidecar" expression: 'object.spec.initContainers.filter(c, c.name == "gke-gcsfuse-sidecar")[0]' validations: - messageExpression: '"the native gcsfuse sidecar init container must have restartPolicy:Always."' reason: Invalid expression: |- has(variables.sidecar.restartPolicy) && variables.sidecar.restartPolicy == "Always" - messageExpression: '"the native gcsfuse sidecar init container must have env var NATIVE_SIDECAR with value TRUE."' reason: Invalid expression: |- has(variables.sidecar.env) && variables.sidecar.env.exists(e, e.name == "NATIVE_SIDECAR" && e.value == "TRUE") --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding metadata: name: "gcsfuse-sidecar-validator-binding.csi.storage.gke.io" spec: policyName: "gcsfuse-sidecar-validator.csi.storage.gke.io" validationActions: [Deny]